Browse Source

Merge pull request #11598 from neheb/xsl

libxslt: update to 1.1.34
lilik-openwrt-22.03
Jiri Slachta 5 years ago
committed by GitHub
parent
commit
6108849600
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 239 deletions
  1. +18
    -19
      libs/libxslt/Makefile
  2. +0
    -120
      libs/libxslt/patches/100-fix-cve-2019-11068.patch
  3. +0
    -29
      libs/libxslt/patches/101-fix-cve-2019-13117.patch
  4. +0
    -71
      libs/libxslt/patches/102-fix-cve-2019-13118.patch

+ 18
- 19
libs/libxslt/Makefile View File

@ -8,24 +8,22 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=libxslt PKG_NAME:=libxslt
PKG_VERSION:=1.1.33
PKG_RELEASE:=4
PKG_VERSION:=1.1.34
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \
http://xmlsoft.org/sources/ \ http://xmlsoft.org/sources/ \
ftp://fr.rpmfind.net/pub/libxml/ ftp://fr.rpmfind.net/pub/libxml/
PKG_HASH:=8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8
PKG_HASH:=98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f
PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
PKG_LICENSE:=MIT PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=COPYING PKG_LICENSE_FILES:=COPYING
PKG_CPE_ID:=cpe:/a:xmlsoft:libxslt PKG_CPE_ID:=cpe:/a:xmlsoft:libxslt
PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1 PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
HOST_BUILD_DEPENDS:=libxml2/host HOST_BUILD_DEPENDS:=libxml2/host
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
@ -67,8 +65,7 @@ define Package/xsltproc/description
XSLT XML transformation utility. XSLT XML transformation utility.
endef endef
CONFIGURE_ARGS+= \
--disable-silent-rules \
CONFIGURE_ARGS += \
--enable-shared \ --enable-shared \
--enable-static \ --enable-static \
--without-python \ --without-python \
@ -76,6 +73,18 @@ CONFIGURE_ARGS+= \
--without-debug \ --without-debug \
--without-mem-debug \ --without-mem-debug \
--without-debugger \ --without-debugger \
--without-profiler \
--without-plugins
HOST_CONFIGURE_ARGS += \
--with-libxml-prefix=$(STAGING_DIR_HOSTPKG) \
--without-python \
--without-crypto \
--without-debug \
--without-mem-debug \
--without-debugger \
--without-profiler \
--without-plugins
define Build/InstallDev/Xslt define Build/InstallDev/Xslt
$(INSTALL_DIR) $(1)/usr/bin $(2)/bin $(1)/usr/include/libxslt \ $(INSTALL_DIR) $(1)/usr/bin $(2)/bin $(1)/usr/include/libxslt \
@ -129,16 +138,6 @@ define Build/InstallDev
$(if $(CONFIG_PACKAGE_libexslt),$(call Build/InstallDev/Exslt,$(1),$(2))) $(if $(CONFIG_PACKAGE_libexslt),$(call Build/InstallDev/Exslt,$(1),$(2)))
endef endef
HOST_CONFIGURE_ARGS+= \
--disable-silent-rules \
--enable-static \
--with-libxml-prefix=$(STAGING_DIR_HOSTPKG) \
--without-python \
--without-crypto \
--without-debug \
--without-mem-debug \
--without-debugger
define Package/libxslt/install define Package/libxslt/install
$(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DIR) $(1)/usr/lib
$(CP) \ $(CP) \


+ 0
- 120
libs/libxslt/patches/100-fix-cve-2019-11068.patch View File

@ -1,120 +0,0 @@
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 24 Mar 2019 09:51:39 +0100
Subject: [PATCH] Fix security framework bypass
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.
Fixes #12.
Thanks to Felix Wilhelm for the report.
---
libxslt/documents.c | 18 ++++++++++--------
libxslt/imports.c | 9 +++++----
libxslt/transform.c | 9 +++++----
libxslt/xslt.c | 9 +++++----
4 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/libxslt/documents.c b/libxslt/documents.c
index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
int res;
res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
return(NULL);
}
}
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
int res;
res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
return(NULL);
}
}
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 874870cc..3783b247 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
int secres;
secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
goto error;
}
}
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 13793914..0636dbd0 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
*/
if (ctxt->sec != NULL) {
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
xmlFree(URL);
xmlFree(filename);
return;
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 780a5ad7..a234eb79 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
int res;
res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
return(NULL);
}
}
--
2.18.1

+ 0
- 29
libs/libxslt/patches/101-fix-cve-2019-13117.patch View File

@ -1,29 +0,0 @@
From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 27 Apr 2019 11:19:48 +0200
Subject: [PATCH] Fix uninitialized read of xsl:number token
Found by OSS-Fuzz.
---
libxslt/numbers.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 89e1f668..75c31eba 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
tokens->tokens[tokens->nTokens].token = val - 1;
ix += len;
val = xmlStringCurrentChar(NULL, format+ix, &len);
- }
+ } else {
+ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
+ tokens->tokens[tokens->nTokens].width = 1;
+ }
} else if ( (val == (xmlChar)'A') ||
(val == (xmlChar)'a') ||
(val == (xmlChar)'I') ||
--
2.21.0

+ 0
- 71
libs/libxslt/patches/102-fix-cve-2019-13118.patch View File

@ -1,71 +0,0 @@
From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Jun 2019 13:14:45 +0200
Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
The character type in xsltFormatNumberConversion was too narrow and
an invalid character/length combination could be passed to
xsltNumberFormatDecimal, resulting in an uninitialized read.
Found by OSS-Fuzz.
---
libxslt/numbers.c | 5 +++--
tests/docs/bug-222.xml | 1 +
tests/general/bug-222.out | 2 ++
tests/general/bug-222.xsl | 6 ++++++
4 files changed, 12 insertions(+), 2 deletions(-)
create mode 100644 tests/docs/bug-222.xml
create mode 100644 tests/general/bug-222.out
create mode 100644 tests/general/bug-222.xsl
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index f1ed8846..20b99d5a 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
number = floor((scale * number + 0.5)) / scale;
if ((self->grouping != NULL) &&
(self->grouping[0] != 0)) {
+ int gchar;
len = xmlStrlen(self->grouping);
- pchar = xsltGetUTF8Char(self->grouping, &len);
+ gchar = xsltGetUTF8Char(self->grouping, &len);
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
format_info.integer_digits,
format_info.group,
- pchar, len);
+ gchar, len);
} else
xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
format_info.integer_digits,
diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
new file mode 100644
index 00000000..69d62f2c
--- /dev/null
+++ b/tests/docs/bug-222.xml
@@ -0,0 +1 @@
+<doc/>
diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
new file mode 100644
index 00000000..e3139698
--- /dev/null
+++ b/tests/general/bug-222.out
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+1⠢0
diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
new file mode 100644
index 00000000..e32dc473
--- /dev/null
+++ b/tests/general/bug-222.xsl
@@ -0,0 +1,6 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+ <xsl:decimal-format name="f" grouping-separator="⠢"/>
+ <xsl:template match="/">
+ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
+ </xsl:template>
+</xsl:stylesheet>
--
2.21.0

Loading…
Cancel
Save